PWS-Bancban was added in October 2003 to detect a malicious file called win32dll.exe.
The filesize is 241,664 bytes, the file is written using Borland Delphi and is internally compressed with UPX.
Selected information from the user is captured and transferred by e-mail using smtp engine to an @hotpop.com e-mail address, the exact address omitted on purpose. The password stealer is specifically looking for information from banking, searching for Banco, HSBC, Banespa, ITAU, Bank etc.
Upon execution it copies itself to the "windows" directory and to automatically load itself at the next startup it makes a standard "win32dll" registry entry under
||During november 2003 another variant of PWS-Bancban was discovered.
Included malicious files are:
-b.exe , 397519 bytes
-setup.exe , 122880 bytes.
-win32dll.exe , 635904 bytes
-wmsys32.exe , 655872 bytes